RSEC-2026-001: Multiple Vulnerabilities in Lumiverse
Published: May 28, 2026
Affected Versions: <= 0.9.5
Fixed Version: 0.9.7
Vendor: prolix-oc
Product: Lumiverse
Technical write-up: https://alanifan.club/posts/its-just-a-chat-how-bad-could-it-be/
Overview
Lumiverse is an LLM chat frontend with built-in support for Model Context Protocol (MCP), custom themes, third-party extensions (via Spindle), SMB, and multi-user capabilities.
A review identified five vulnerabilities in Lumiverse which, when chained, could allow an attacker to achieve unauthenticated remote code execution (RCE). Some of the vulnerabilities could also be exploited independently to achieve authenticated RCE.
Lumiverse fixed these issues in version 0.9.7.
Vulnerabilities
| CVE | GHSA | Affected Component | Impact | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-44450 | GHSA-mfwv-ch2f-9j5v | MCP stdio | Authenticated server-side code execution through unsafe process arguments | 9.9 |
| CVE-2026-44451 | GHSA-rgp6-55rw-5xf4 | TSX theme components | Browser-origin code execution, chainable with MCP server RCE | 9.3 |
| CVE-2026-44444 | GHSA-8x98-3wjp-pmj9 | Spindle extension install/update | Server-side code execution through package lifecycle scripts | 9.1 |
| CVE-2026-44443 | GHSA-6fcp-x253-wwv7 | User creation | Unauthorized account creation during a nonce race window | 4.8 |
| CVE-2026-44449 | GHSA-4v38-9hqq-7j53 | SMB migration provider | Server-side command execution through smbclient command injection | 9.1 |
Impact
An attacker who successfully exploits the above vulnerabilities could execute arbitrary code on the Lumiverse server, which may lead to data exfiltration or pivoting to other services reachable from the host. The MCP stdio vulnerability (CVE-2026-44450) was critical in multi-user deployments, as any authenticated user could exploit it without elevated privileges.
The theme component override and sign-up nonce vulnerabilities could be chained with the MCP RCE vulnerability to achieve unauthenticated RCE in affected versions:
- a malicious theme override could execute JavaScript in the victim’s authenticated Lumiverse browser context and call the MCP API
- an attacker who won the sign-up nonce race could obtain an account and then use the authenticated MCP RCE path
The theme component override vulnerability does require user interaction: the user must enable the TSX theme override in the UI, which displays the source code of the TSX component. However, as theme packs can be imported from untrusted sources, an attacker could use social engineering to trick a user into importing a malicious theme pack and enabling the override.
Remediation
Upgrade Lumiverse to version 0.9.7 or later.
Operators of previously vulnerable deployments should review:
- unrecognized user accounts
- MCP profiles
- installed or recently updated Spindle extensions
- imported theme packs and enabled component overrides
- suspicious files, processes, or persistence on the host
If compromise is suspected, review the host and rotate secrets that may have been exposed outside Lumiverse’s encrypted secrets storage.
References
- https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-mfwv-ch2f-9j5v
- https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-rgp6-55rw-5xf4
- https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-8x98-3wjp-pmj9
- https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-6fcp-x253-wwv7
- https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-4v38-9hqq-7j53
- https://alanifan.club/posts/its-just-a-chat-how-bad-could-it-be/
Timeline
- 2026-04-28: Initial report sent to the Lumiverse maintainers.
- 2026-04-29: Maintainers acknowledged the report.
- 2026-05-05: Vulnerabilities patched and GitHub security advisories were published.
- 2026-05-14: Public write-up published.